Thrifted.mt LogoTHRIFTED.mt
MENU

Privacy Policy

Last updated: March 2026

1. Introduction

Welcome to Thrifted.mt. We respect your privacy and are committed to protecting your personal data. This privacy policy informs you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tells you about your privacy rights and how the law protects you.

"Thrifted.mt" refers to the online marketplace platform operating in Malta for buying and selling second-hand items.

2. Data We Collect

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data: includes first name, last name, username or similar identifier. For sellers undergoing ID verification, this also includes images of government-issued ID documents (see Section 4).
  • Contact Data: includes email address, delivery address and telephone number.
  • Financial Data: includes bank account number (IBAN) and payment card details. Your IBAN is encrypted at rest and used solely to process earnings withdrawals (see Section 4a). Payment card details are processed exclusively by our payment provider, Stripe and are never stored by us.
  • Transaction Data: includes details about payments to and from you and other details of products you have purchased from or sold on our platform.
  • Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location and operating system and platform.
  • Profile Data: includes your username, password, purchases or orders made by you, your interests, preferences and feedback.

3. How We Use Your Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Performance of Contract: Where we need to perform the contract we are about to enter into or have entered into with you (e.g., processing an order, facilitating a sale).
  • Legitimate Interests: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (e.g., fraud prevention, platform security).
  • Legal Obligation: Where we need to comply with a legal or regulatory obligation (e.g., anti-money laundering regulations).

4. ID Verification

To maintain a safe marketplace, we require sellers to verify their identity before listing items for sale.

  • Collection: We collect images of government-issued ID documents (Passport, National ID Card, Driving Licence). You also provide explicit GDPR consent at the point of upload and a timestamp of that consent is recorded.
  • Processing, Human Review Only: All ID verification is carried out exclusively by a member of our team. We do not use bots, AI models or automated decision-making to process, review, approve or reject your identity documents. Your document image is reviewed solely to confirm authenticity and match it to your account name.
  • Temporary Storage: Upon upload your document is placed in a secure temporary storage bucket. This bucket applies automatic deletion after 24 hours via lifecycle rules, ensuring the document cannot persist if review is delayed.
  • Encryption & Archive: If your verification is approved, the document is encrypted using AES-256-GCM with a key held separately from the data, then moved to a restricted archive bucket. If rejected, the document is deleted immediately from all storage.
  • Retention: Archived ID documents are retained for a maximum of 180 days from the date of verification, after which they are permanently deleted. You may request early deletion at any time by contacting gdpr@thrifted.mt.
  • Audit Logs: For legal and fraud-prevention compliance, access logs relating to ID verification actions are retained for 7 years. These logs contain only metadata (action type, timestamp, user/verification ID) and never the document image itself.
  • Legal Basis: Processing is necessary for performance of contract (enabling you to sell on the platform) and our legitimate interest in fraud prevention.

4a. IBAN (Bank Account Number)

To allow sellers to withdraw their earnings, we collect and store an International Bank Account Number (IBAN).

  • Collection: Your IBAN is entered voluntarily in your account profile. It is not required to buy or to list items, only to withdraw funds from your Thrifted balance.
  • Encryption: Your IBAN is encrypted using AES-256-GCM immediately upon saving and is stored in this encrypted form. It is decrypted server-side only at the moment a withdrawal is processed and is never transmitted to or stored by any third party.
  • Access: Your decrypted IBAN is accessible only to authorised Thrifted.mt staff for the purpose of processing your withdrawal payment. It is not shared, sold or used for any other purpose.
  • Retention: Your IBAN is retained as long as it is saved in your profile. You may update or remove it at any time from your profile settings.
  • Legal Basis: Processing is necessary for performance of contract (fulfilling your request to be paid for sales).

5. Cookies and Consent

We use cookies to improve your experience.

  • Strictly Necessary Cookies: Required for the website to function (e.g., login sessions, security). These do not require consent.
  • Analytics Cookies (Google Analytics): Used to understand how you interact with the website. These are NOT set unless you explicitly give consent via our Cookie Banner. You can withdraw this consent at any time.

6. Third-Party Services

We may employ third-party companies and individuals to facilitate our Service ("Service Providers"), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.

  • Stripe: Payment processing. Stripe handles and stores all payment card data under their own PCI-DSS-compliant terms. We do not store card numbers.
  • Cloudflare: Web hosting, DDoS protection and image storage/optimisation (Cloudflare R2 & Images). ID documents and encrypted data are stored in Cloudflare R2.
  • Google Analytics: Website usage analytics, only activated with your explicit cookie consent.
  • Google Generative AI (Gemini): Used for automated listing data extraction and generation. Your listing images are processed by this AI only when you use the "Bulk Upload" feature or when you explicitly choose the AI auto-fill option during single item creation.

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

7. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Access to your personal data is limited to those employees, agents, contractors and other third parties who have a business need to know.

8. Your Rights

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data ("right to be forgotten").
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request transfer of your personal data ("data portability").
  • Withdraw consent at any time where we are relying on consent to process your personal data.

9. Account Deletion and Retained Data

You can request account deletion at any time from your profile settings (Danger Zone) or by emailing gdpr@thrifted.mt.

  • Erased on deletion: Profile data (name, username, avatar, location, date of birth, IBAN), ID verification records/documents, saved items and account notifications.
  • Retained where required: Wallet balances, wallet transaction ledger and order/payment records for 10 years from transaction date (accounting, tax and financial compliance).
  • Fraud/dispute retention: Marketplace communication/moderation records (including messages, offers and reports) for up to 6 years after account closure or longer where required for an active legal claim or law-enforcement request.
  • Security/audit retention: Security and audit metadata (for example access and account-security logs) for up to 7 years.
  • Legal basis for retention: Legal obligation and legitimate interests (fraud prevention, dispute handling, law-enforcement cooperation and financial auditing).
  • Effect: Deleted accounts are deactivated and cannot continue normal platform use without support review.

10. Contact Us

If you have any questions about this privacy policy or our privacy practices, please contact us at gdpr@thrifted.mt.

Cookie Preferences

Manage your analytics cookie consent. Changing your preference takes effect immediately.

Current status:Not set